<trackbot> Date: 15 September 2010
<hhalpin> ?
<mischat> hhalpin: poke
<mischat> +1
<hhalpin> PROPOSED: to accept minutes of Sept 1st meeting: http://www.w3.org/2010/09/01-swxg-minutes.html
<mischat> do people accept last week's notes?
<MacTed> +1
<hhalpin> ACCEPTED: minutes of Sept 1st meeting
<hhalpin> scribe: Manu
Harry: meeting next week, discussing Infocard from Higgins project.
<scribe> scribenick: manu
Harry: Don't see any problems there... let's try to get through these actions.
<hhalpin> PROPOSED: to meet again Wed. Sept 22nd (Infocards and Higgins Project).
<hhalpin> ACCEPTED: Meeting next week on Infocards and Higgins project
<hhalpin> 2. Final Report Action Apocalypse
Harry: At this point, we have to move the wiki to HTML now
... so we can get a coherent draft out to the community
... We wrap up the XG in two weeks!
<hhalpin> ACTION [DONE]: Mischa to put up wiki page about social networks deploying these technologies. (i.e. reference the one from GNU Social?)
<trackbot> Sorry, couldn't find user - [DONE]
Harry: I believe most of the actions have been done.
<mischat> people are welcome
<mischat> :)
Harry: the only action that remains seems to be SWAT use case - Daniel - looking at use case document and move them to a coherent phrasing
<mischat> +1
<mischat> i am happy with that
Harry: unless the group objects, if you could use the use case out to a separate document... does that work for folks?
<melvster> +1
<hhalpin> ACTION [CANCELLED] DKA to shorten too long use-cases and see if he can reference in SWAT test cases.
<trackbot> Sorry, couldn't find user - [CANCELLED]
Scribe notes no objections
<hhalpin> ACTION: hhalpin move use-case appendix to separate document. [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action01]
<trackbot> Created ACTION-177 - Move use-case appendix to separate document. [on Harry Halpin - due 2010-09-22].
mischat: One of the <unheard> is currently empty.
Harry: We'll have time during the next two weeks.
<hhalpin> [CANCEL] ACTION: For diaspora to talk about being included in final report (interoperable code-bases agreed to SWAT tests?).
Harry: We're going to cancel the diaspora thing... we ran out of time.
<melvster> diaspora opens code later today here: http://github.com/diaspora
Mischa: I think Henry went through it... haven't had a chance to read through it.
<bblfish> hi
<mischat> hi
Harry: Distributed federated networks?
<hhalpin> ACTION: [DONE] bblfish and mischa to write a new introductory paragraph with definition of social web and case for open-source/business use of standards. [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action02]
<mischat> http://www.w3.org/2005/Incubator/socialweb/wiki/FinalReport
<hhalpin> http://www.w3.org/2005/Incubator/socialweb/wiki/FinalReport
Henry: So I added one paragraph... "here's my attempt at a definition..."
<hhalpin> [CANCEL] ACTION: MacTed to add to intro a "user story" of why current approaches don't work.
Harry: Cancelling that action, then.
<cperey> :-)
Harry: tried to setup a call w/ the various browser vendors, do we have any on the call?
<hhalpin> ACTION: [DONE] hhalpin to set up HTML5/Interaction domain telecon before Sept. [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action03]
Harry: There is definitely interest from Apple, Google, Mozilla on identity in the browser.
... No answer on Opera yet.
... There is enough interest to get that going.
<mischat> hello
Dirk: Hi, I'm from the Chrome team at Google.
<hhalpin> ACTION: [DONE] bblfish (and paul maybe?) flesh out and draft identity section. [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action04]
<bblfish> who was that from Google?
Mischa: One more comment - all of the XRDFY type stuff... we need to review that.
Aza: I'm here
Harry: Paragraph on mobile seems to be done
<hhalpin> ACTION: [DONE] venezia to do mobile paragraph [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action05]
Harry: W3C strategy is to pull vendors in quickly.
<hhalpin> ACTION: [DONE] hhalpin to work on strategy document [recorded in http://www.w3.org/2010/09/15-swxg-minutes.html#action06]
<hhalpin> 3. Aza Raskin on Privacy Icon
Harry: From a W3C strategy perspective, we are revamping process to make it more lightweight.
... Hope to have it sorted out by November.
... Hopefully, more W3C resources to federated social web area.
... Looking for more vendor input on digital identity.
... W3C should support these identity efforts.
... W3C is not quite sure what the right move to make is yet... which is why Aza is here today. To see if there is a clear sign. W3C would like to make a move in this area. Perhaps a workshop, perhaps with OpenID Foundation.
<melvster> IIW Europe 11th October by the way
Harry: If there are compelling technical solutions on the table, W3C may move into a WG on that.
... This is an issue that is near to W3C's CEO's heart.
his gooey identity-loving heart.
Paul (Higgins project): So, last week at IW in DC there were some meetings - not public info yet, but general idea is there are a number of people involved in active client work.
Paul: The gist of the meetings is that you're going to see a change in the ?IETF? and see some changes in the browser based on the Infocard experience... definitely decisions are starting to get made.
<melvster> Paul Trevithick
<mischat> there you go
Harry: W3C is looking for some technical leadership from people that have been in this space for longer than them... Infocard has been around here for a very long time.
<mischat> http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-22.txt
<mischat> http://www.azarask.in/
Aza Raskin: I'm the creative lead for Firefox, used to head up User Experience at Mozilla - did Ubiquity, Geolocation spec, etc.
Aza: Been working on Firefox4 features - working on Privacy for the Web.
... Do a lot of design work - design focus - trying to understand the privacy space.
<melvster> manu: instead of typing Aza: each time you can just type '...'
Aza: Looking at P3P, Lorrie Cranor Privacy finder, Nutrition labels - one of the things that we found was that these things were taking a taxonomical viewpoint.
... We were letting the perfect be the enemy of the good - we wanted to focus on one question.
<mischat> http://www.slideshare.net/azaraskin/mozilla-privacy-icons-project
Aza: We do not want to make sure a user understands everything in a privacy policy - that is a difficult task.
<mischat> slides ^^
<mischat> private browser
Aza: Schematics - looking at things like Firefox anti-malware site protection.
... We fixed issues, but changes were not understandable to an end user.
... So, we are asking what 'should' people care about in privacy?
... That's the one question we're trying to answer... the fewer choices, the easier it is for people to understand and care.
<hhalpin> also folks may want to look at Zittrain and co.'s http://www.stopbadware.org/
Aza: Privacy often goes down the route of per-user or based on preferences, usually based on defaults - why not help people choose.
... Problem is that people don't usually know what they want.
... What do you want to eat? Difficult to answer.
<aza> http://www.flickr.com/photos/azaraskin/4786688290/in/photostream/
<mischat> from Sören
Aza: Do you want delicious steak with a little bit of truffle oil and foie gras with a baked potato and mahi-mahi??? People find it easier to say yes to that.
<melvster> ah that's soeren's work, he's part of the SWXG too
Aza: most of US population can be identified down to name using only - zip code, birthday, gender
... Those things people feel are not sensitive - first and last names are more sensitive than those previous three pieces of information.
... People don't understand the meaning of giving up that data - so we're the experts, we need to help them understand.
... But simultaneously, every time we ask a user what they don't care about - we've failed.
... So this is how we ended up with the privacy icons stuff
... What attributes of privacy should people care about?
... I wanted to go into more basic stuff before delving into the icons.
... the icons can be highly contentious, so we'll cover that last.
... our goal is not to make this understandable by everyone.
... we just need it to work for most people.
... Privacy marketplace... we're not going after Facebook (yet) with Privacy policies...
... we're focusing on places where Privacy already affects you.
... places like sites that say they're not going to re-use your e-mail address.
... will it change the way you use google or facebook? probably not
... however, it may make sense on sites that you don't know anything about.
... we want to get adoptives to understand this transparency.
... Washington Journal did a cover on all the different types of privacy policies that companies did
... they had to do a ton of digging
... we want to make it simpler
... taxonomical view doesn't work - it's too much information.
... writing a privacy policy is very company-specific (at least, that's what the lawyers want us to think)
... when you use an icon, it gets bolted to the very end of the privacy policy.
... "We do not sell data or barter with your data."
... no matter what the privacy policy says, this is asserted somewhere in the privacy policy.
... it's a minimum guarantee.
<mischat> http://www.azarask.in/blog/post/what-should-matter-in-privacy/
Aza: we're also trying really hard not to penalize business as usual.
... it's a fail if people have to put up an icon that scares people.
... is 3rd party sharing of data suspect?
... it's not
... amazon sharing your address with UPS to ship something to you is 3rd party sharing
... but that's not bad.
... we're still writing some of the legal behind some of the icons we're doing.
... not everyone has to use a bad icon
... last point that I want to bring up as background
... is that these icons are different from Creative Commons in a very important respect.
... in CC, everyday authors have to figure out what they are to license their work under.
... you have to be able to write what your work is licensed under.
... with Privacy icons, you don't have to do the writing part... that's the job of the lawyer... we just need to make sure these things are readable.
... conditions for Privacy Icons are more lax when deciding what icon to use.
... why Firefox, why now?
... we think that the taxonomical look didn't work well, and we don't think that the product people looked at it in this way before.
<aza> http://www.flickr.com/photos/azaraskin/4128966575/in/photostream/
Aza: we're looking at what identity in the browser looks like
<aza> http://www.flickr.com/photos/azaraskin/4156454152/in/photostream/
Aza: here are a couple of things that we're looking at right now
... about what we're thinking of putting into firefox.
<aza> http://www.mozilla.com/en-US/firefox/accountmanager/
Aza: the basic idea is that you don't need to do the whole signing in/signing out to a website.
... browser should understand who you are
<bblfish> aza: Are you working on tying this in with the SSL layer?
Aza: Weave
<hhalpin> very nice design BTW
Aza: should understand all of your passwords - getting rid of login
<bblfish> very nice, I present it at all my talks
<paul> agreed
Aza: This is supposed to be a very fast thing for websites to implement - in 15 minutes.
... So, if we manage to get something like this
... these are early markups
... if we do this, browsers become a user agent to all sites.
... they are intermediaries of identity. If that is true, then we own the sign-in sign-out experience.
... decreases sign-up time, increases conversion rate, etc.
... lots of good things related to this.
... sign in to a site using one button click.
... this also means that we control the way in which end-users see the sign-up process.
... we have a huge opportunity to affect the way the web works.
... if this is the case, we can start bubbling up information about privacy policies.
... Mozilla is very privacy-cognizant
<hhalpin> machine-readable - perhaps in RDFa?
Aza: We need to make sure people know what their privacy state is... we can tell the user how the information is used.
... We think that's exciting... we can take a very pro-active standpoint
... it also helps identify bad-actors... if they don't give any sort of machine readable form of privacy data.
... So, that's the background.
... Questions?
Mischat: I was wondering how people are going to be representing the privacy icons.
... If I am a provider, how do I display privacy icons?
Aza: We haven't delved into that yet - mainly because we want to figure out where to show these things in the interface.
... What are the things that matter most to people.
<mischat> ok
Aza: Delving into how people link, how to display - is just things to figure out as we move down the path... no strong preferences as long as it is pragmatic.
Henry: Wonder if you're interested in demo by Google
<bblfish> http://code.google.com/p/chromium/issues/detail?id=29784
Henry: Would be interesting to see how this would work with SSL layer
... if you don't do things over https, then we don't really have secure identity.
... Just to show how Google/Chrome/Firefox could complement each other.
... There is a bug report on Firefox on SSL security issue - we really need Firefox to lead this
<hhalpin> http://www.phreedom.org/research/rogue-ca/
Aza: I'm always sad when CA's get more authority.
Henry: No, we can bypass CAs entirely with this.
<hhalpin> must be careful with CAs.
Henry: Client side certs don't need to have CAs
<aza> http://blog.sidstamm.com/2010/08/http-strict-transport-security-has.html
Henry: That's a big misunderstanding.
Aza: We did just add HSTS
... We really need to discuss having the User Agent intermediate the login process.
... This solves a big problem.
... Both from a technical as well as a user perspective.
<bblfish> yes definitively allowing the user to see what he logged in as is really important
Henry: I was trying to understand privacy icon work... they don't know there is absence, they know there is presence.
Harry: If you don't have a license, then we know you're a bad actor.
... These icons may be everywhere?
<melvster> yes about 25%
Harry: There is a substantial minority of people that care about privacy.
<melvster> 'privacy fundamentalists' was the category
Harry: The user must set this in their privacy settings...
... perhaps we can control what privacy icons appear based on the site that they refer to?
Aza: Privacy rules are pretty fascinating.
... We want these icons to be important and universal.
... if the site doesn't have it, perhaps we can crowd-source the icons to a site.
... as soon as the site puts up info, they get a better icon
... There are some questions of adoption, in the beginning, we wouldn't bubble the information up.
... only the 20% that care would see it at first.
... We hope that all major sites adopt it... but it'll take time.
<Zakim> manu, you wanted to offer RDFa communities help on this
<mischat> Manu: asks about vetting the icons themselves, do you have any relationships with the CC group, for they have lots of experience in this space ?
<hhalpin> manu: any connections to creative commons
Aza: Yeah, so we've worked with Joi Ito and CC guys a bit
<hhalpin> manu: I'm sure RDFa community would be happy to help, I'm on the WG
<mischat> Manu: the microformats/microdata/ and rdfa, would help out, and would give input into this process
Aza: As soon as we have some legal text, they'll help us there.
... It's incredibly important to people like that.
... As far as actual method of machine readability, there are a lot of smart people that will solve it.
... Anything that is pragmatic makes sense.
Mischa: Two questions - all this talk about decentralized social networks - does it fit?
... Do you think privacy icons relate to that?
Aza: potentially, but one of the things we're ignoring is the social networking case.
<mischat> http://semanticidentity.com/Resources/Entries/2010/7/1_Virtual_Goods_+_ODRL_Workshop_2010.html
Aza: granted, when expectations of privacy on social network is violated.
... people care at that point.
... so there is this secondary use problem.
Mischa: Second question, identity in the browser: Is that basically a username/password management thing? Firefox Weave?
... You're not using client-side certs... not using passwords?
<mischat> ODRL machine readable privacy icons for social networking ^^
Aza: A little bit more than that... one time passwords... name, address, credit card... if people are okay with that in the browser, you can do progressive input to websites.
<hhalpin> contact API - DAP Working Group?
Aza: We should provide an API for this, so it's easier for sites to ask for that data.
<hhalpin> PortableContacts...
Aza: identity starts to become much more powerful at that point.
... it's interesting middle-ground - the browser isn't just a client - it also could have a cloud-side to it.
Mischa: So, that's working with the DAP working group?
Aza: Yes.
Mischa: How does privacy icons relate to that group?
<tlr> http://www.w3.org/2010/api-privacy-ws/report.html
Aza: Really like that approach - these are two complementary approaches.
<mischat> http://dev.w3.org/2009/dap/privacy-rulesets/
Aza: Especially around secondary use... many things boil down to that.
Harry: Quite interesting, going in direction where it could work with federated social networks.
... Question that I have is: What is the cross-browser work in this area? You could just push this into Firefox when ready.
... People most interested in Privacy probably also use Firefox.
... There are other browsers that have interest in this area - do you think there is room for cross-browser work?
Aza: yes, the browser agents are always collaborating in some ways.
... We are also competing... but real interest is in making the web better.
<mischat> :)
Aza: we'll see other browser vendors do this if it's important.
<hhalpin> then the problem is also multiple devices...
<hhalpin> like identity transfer
Aza: It's not required that it happens everywhere re: Privacy Icons.
... helps us bootstrap much faster.
... Making all user agents do it? Maybe we can popularize it?
... maybe if we can get a few million to care about it... that would be great.
Harry: What about identity over multiple devices?
<dpranke> i can chime in at some point - there's definitely a place and a desire for browser vendors to work together on identity. probably on privacy as well
<hhalpin> http://www.links.org/?p=932
Harry: Are you guys looking at that space as well? How do you transfer identity over multiple devices - Nigori protocol like stuff?
Aza: I'm not the best person to talk about this - Firefox 4 has sync stuff
... I can transfer where I'm browsing, passwords, etc, between browsers.
... As long as experience gets richer and richer, that "identity" will get synched across from point to point.
<mischat> sure, you ask my question hhalpin
Aza: just to make sure that all devices are in sync
Dirk: I agree with almost everything that Aza has said - the days of us using one browser on one computer are going away.
... we need to interoperate across browsers.
<cperey> bye bye!
<mischat> bye cperey
Dirk: vendors need to interoperate across browsers.
<cperey> thank you, very interesting talk and discussion!
<hhalpin> Role of the W3C in this sort of work? Workshop? Group?
Harry: Do you think there is a role for W3C here?
Dirk: I think there is always a role for W3C to work together...
... I'm still trying to understand how we can work together.
Harry: W3C is definitely interested in work around this.
<dpranke> one more thing … the nigori protocol is definitely interesting
Mischa: When you're thinking about identity, are you always thinking it's going to be inside the browser? Or is there a place for cloud-based identity.
Aza: Whatever solution we go with, it has to be federated - it has to be distributed.
... We need best-in-class identity via the browser.
<melvster> +1 set up your own servers, yay!
<hhalpin> agreed re nigori protocol
Aza: You shouldn't have to remember your identity.
... OpenID is a good example of a route that we don't want to go.
<hhalpin> if you want to chime in on that dirk, just chime in right after mischa.
Aza: Always want an option to do federated identity.
<bblfish> that is what WebID is for :-) solving the nascar problem - login without typing username or password, in one click
Dirk: Nigori is interesting in-so-far as distributing secrets in the cloud.
<hhalpin> yes, we should definitely ping mike hanson for his opinion
Dirk: There are people that are not going to be happy with one company knowing all of your information... so Nigori is an interesting answer to that. I also think WebID is very interesting.
<bblfish> cool :-)
Dirk: The problem with OpenID is the UI/Nascar problem.
Harry: Any more final questions? We're at the end of the hour.
<bblfish> (unemployed now so always happy to help out)
<aza> http://www.flickr.com/photos/azaraskin/4796824084/
<mischat> !?!?
Mischa - this is what the NASCAR problem is about: http://xauth.org/info/
<dpranke> NASCAR - you have to put a whole bunch of icons onto the page
Aza: 3rd party sharing of PII for purposes that you don't intend.
<dpranke> and end up looking like a stock car :)
Aza: These are not mutually exclusive icons...
... data could be given to law enforcement.
... warrant or not to get data (icon)
... Legal nightmare, at times.
<mischat> these slides, describe them http://www.slideshare.net/azaraskin/mozilla-privacy-icons-project
Aza: Cannot talk about whether or not you can delete or export PII data (icon)
... How long is your data kept for (icon)
... 3 months, 9 months, 18 months, etc.
... Ads - do you know whether a site is using ads - don't need an icon for that, but behavioral tracking is difficult (icon)
... Does the site give the data to an Ad network? too finicky to add, but it's our strawman - some more thinking to do on that.
... We will need to tweak these icons - what can and can't you do - how can the icons be used on our site.
... We are going to eat our own dogfood.
<bblfish> cool
Harry: Let us know how you want W3C to track or help with your work.
<dpranke> cheers!
<bblfish> thanks all
<hhalpin> trackbot, meeting adjourned
<trackbot> Sorry, hhalpin, I don't understand 'trackbot, meeting adjourned'. Please refer to http://www.w3.org/2005/06/tracker/irc for help
<mischat> um
<melvster> rdf is still in mozilla
<mischat> are things needed to make the minutes and stuff
<melvster> need to upgrade to rdflib
<mischat> rdf is still in mozilla
<mischat> they were super early adopters
<melvster> it wasn't updated for ages
<melvster> also look at the tabulator library ...
<melvster> i think danbri was maintaining the rdf thing in mozilla :)
<melvster> i could be wrong, but he knows about it at least
<mischat> iirc the namespaces they use on mozilla.org aren't there anymore
<mischat> hhalpin:
<mischat> can you make the minutes and stuff
<mischat> i don't know how to do it
<hhalpin> yes
<hhalpin> it's already done
<hhalpin> trackbot, end meeting
Present: +1.540.961.aaaa, manu, +44.208.439.aabb, MacTed, mischat, hhalpin, +1.781.416.aacc, +1.510.931.aadd, +1.650.299.aaee, melvster